CJEU widens the scope of sensitive personal data under the GDPR

On 1 August 2022, the Court of Justice of the European Union (“CJEU”) in the case of OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission) (Case C-184/20) ruled that the publication of personal data indirectly disclosing the sexual orientation of a natural person constitutes processing of special categories of personal data for the purposes of Article 9(1) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”).

Case Background

The case primarily emerged from a Lithuanian anti-corruption law which requires natural persons working in the public service, or establishments receiving public funds to fill in a declaration of interests which would be published on the Chief Ethics Commission’s website, as the controller, making such information publicly and widely accessible online. Such disclosure is designed to favour transparency and prevent conflict of interests in the public sector. OT, a director of an establishment under Lithuanian law in receipt of public funds, did not comply with this requirement. OT argued that as a non-governmental organisation they do not fall under this category as the activities that they carry out are independent from public authorities. More importantly, they also argued that it would adversely affect the right to respect for private life of the persons whom they would be required to mention in the declaration.

The Regional Administrative Court in Vilnius, Lithuania decided to stay proceedings and refer the following questions to the CJEU for a preliminary ruling:

  1. Whether the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, with regard to the requirements laid down in Article 6(3) of the GDPR, including the requirement that the Member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued, and also with regard to Articles 7 and 8 of the EU Charter of Fundamental Rights (the “Charter”), be interpreted as meaning that national law may not require the disclosure of declarations of private interests and their publication on the website of the controller, thereby providing access to those data to all individuals who have access to the internet; and
  1. Whether the prohibition of the processing of special categories of personal data under Article 9(1) of the GDPR, especially with regards to the question of ‘necessary for public interest’ and ‘proportionate to the aim pursued’ must respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject – such that it is interpreted as meaning that national law may not require the disclosure of data relating to declarations of private interests which may disclose personal data, including data which make it possible to determine a person’s political views, trade union membership, sexual orientation and other personal information, and their publication, providing access to those data to all individuals who have access to the internet.

Legal Considerations

The main objective of Directive 95/46 (the “Directive”) is that of ensuring a high level of protection of the fundamental rights and freedoms of natural persons with respect to the processing of personal data, primarily when read in conjunction to the GDPR and in recognition of Article 7 and 8 of the Charter. Within the meaning of Article 2(a) of the Directive and Article 4(1) of the GDPR, information on natural persons which can be identified by their forename and surname and is intended to be published on the Chief Ethics Commission’s website, constitutes personal data. Furthermore, the operation of loading personal data on an internet page constitutes processing, within the meaning of Article 2(b) of the Directive and Article 4(2) of the GDPR.

Under Article 7(e) of the Directive and point (e) of the first subparagraph of Article 6(1) of the GDPR, processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is lawful. However, the legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued such that the CJEU highlighted how the fundamental rights to respect for private life and to the protection of personal data, guaranteed in Articles 7 and 8 of the Charter, are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights.

Additionally, seriousness of that interference must be weighed against the importance of the objectives of preventing conflicts of interest and corruption in the public sector. The nature of the personal data at issue, in particular any sensitive information in those data, as well as the nature and specific methods of processing the data, in particular the number of people with access to those data and the methods of accessing them, must all be taken into consideration in determining how serious that interference is.

Opinion of the Advocate General of the Court

The rationale behind the CJEU’s ruling was determined after examining whether name-specific data could reveal the sexual orientation of a natural person by means of an intellectual operation involving comparison, inference, or deduction. The Advocate General in his Opinion has made a distinction between ‘revealing’ and ‘concerning’, such that he believes that the former implies “an intellectual exercise involving deduction or cross-referencing” but the latter “strikes a more direct and more immediate link”. However, the CJEU did not adopt the Advocate General’s view as this would result in distinctions being drawn according to the type of sensitive data at issue, thus diminishing the standard of protection which is intended to be afforded to special categories of personal data.

Case Implications

Through this ruling, the CJEU has adopted its general view of widening concepts in such a way that personal data about one person, like the name or gender, can also reveal personal data about another person. Therefore, the abovementioned personal data factors can emerge not only from the data subject himself, but also from people connected to such person.

The CJEU’s judgement can also be broadened to influence other forms of online processing in any context where Article 9 of the GDPR is applicable, as it extends the concept of ‘revealing’. This includes, for example, location data indicating places of worship, or dating apps where sensitive inferences can be made about individuals.

Thus, it can be concluded that the concept of sensitive data has progressed both de jure and de facto; and with the development of Internet of Things and the ever-increasing degree of interconnectivity, more personal data being viewed as sensitive in nature is a concrete possibility. The wide interpretation given to special categories of data could mean that an ample amount of data can be categorised as ‘sensitive’ in such a way that the CJEU, through this judgement, has set a formal bar that in practice, could potentially be difficult to manage.

This article was first published in the Malta Independent (21 September 2022).